ClawHub

Memory Sync CN

Security checks across malware telemetry and agentic risk

Overview

This is a coherent memory-sync skill, but it can copy sensitive local memory and daily-log contents, including API-key and account sections, into a persistent searchable memory backend without strong warnings or filtering.

Install only if you are comfortable having MEMORY.md and daily logs copied into CortexGraph. Before running sync, remove API keys, tokens, passwords, account details, and other secrets; use dry-run/preview modes first; and keep backups before running GC or consolidation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documents a garbage-collection command that deletes low-score memories, but the warning is minimal and the transition from dry-run to destructive execution is easy to miss. In a memory-management context, this can cause unintended data loss, especially because users may treat markdown examples as safe copy-paste commands.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The weekly maintenance section recommends running destructive operations such as gc and apply-mode consolidation without emphasizing permanence, review steps, or rollback options. Because these are framed as routine maintenance, users may execute them automatically and unintentionally delete or alter memory state.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script automatically reads a daily log from the user's home directory and sends its full contents to an external memory backend without any consent prompt, sensitivity check, or content filtering. Daily logs commonly contain credentials, personal data, internal notes, or other sensitive material, so silent transmission increases the risk of privacy leakage and unintended exfiltration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads a local MEMORY.md file from the user's home directory and transmits its contents to an external memory service via mcporter call cortexgraph.save_memory, but provides no consent prompt, preview, redaction step, or clear notice at the point of exfiltration. Given the section mappings include potentially sensitive categories such as API keys, identity, account information, and file locations, this can leak highly sensitive local data into another system unintentionally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal